Long-awaited changes to privacy laws proposed
On 12 September 2024 the Privacy and Other Legislation Amendment Bill 2024 (the Bill) tabled its first tranche of reforms to the Privacy Act 1988 (Cth) (Privacy Act) with a view to implementing a number of the legislative proposals that were agreed by the Government in its September 2023 Response to the Privacy Act Review. The Bill, if approved, will introduce a new statutory tort for serious invasions of privacy, enhanced regulatory powers for the Office of the Australian Information Commissioner (OAIC) and targeted criminal offences to respond to doxxing.
Record number of data breaches
The new Bill coincided with the latest release of statistics from the OAIC, which revealed that the number of data breaches notified to the regulator in the first half of 2024 was at its highest level in three and a half years. It is important to note, however, that the number of data breaches notified is not a true reflection of the number of individuals affected by those breaches. For example, one of the 527 breaches notified was the MediSecure data breach, which affected approximately 12.9 million Australians, the largest number of Australians affected by a single breach since the Notifiable Data Breaches scheme came into effect.
The health sector and the Australian Government notified the most data breaches of all sectors (19 per cent and 12 per cent of all breaches respectively), highlighting that both the private and public sectors are vulnerable.
Privacy law changes
In the Bill’s Second Reading Speech, the Attorney General stated that:
“The Privacy Act has not kept pace with the adoption of digital technologies. The vast data flows that underpin digital ecosystems have also created the conditions for significant harms – like major data breaches that have revealed the sensitive information of millions of Australians, exposing us to the risk of identity fraud and scams.”
We report below on the major changes to the legislative framework including the Privacy Act and Australian Privacy Principles.
Currently there is no actionable tort for privacy breaches or invasions of a person’s privacy. The introduction of this tort is a first for the Australian legislature and would create a pathway to compensation for individual persons (not businesses) that are affected by a serious invasion of their privacy.
The outline within the Bill states:
An individual has a cause of action against another person if, among other things, the other person invaded the individual’s privacy by intruding upon their seclusion or misusing information relating to them… The court may grant remedies including damages.
The invasion of privacy must be serious and it must also be intentional or reckless.
In considering the “seriousness” of the invasion of privacy the Court may consider:
(a) the degree of any offence, distress or harm to dignity that the invasion of privacy was likely to cause to a person of ordinary sensibilities in the position of the plaintiff;
(b) whether the defendant knew or ought to have known that the invasion of privacy was likely to offend, distress or harm the dignity of the plaintiff;
(c) if the invasion of privacy was intentional—whether the defendant was motivated by malice.
The OAIC must, within 24 months of the Bill passing into law, develop an online privacy code for children. This Code is expected to impact how both social media platforms and other online services interact with children online.
There will be an enhancement to Australian Privacy Principle 8 – Cross-border disclosure of personal information to improve the transfer of personal information to an overseas entity.
The enhancement will require the overseas recipient to be subject to prescribed laws that protect personal information about an individual in a way that is similar to the way in which the Australian Privacy Principles protect personal information.
The key changes of note are:
- A new civil penalty for non-serious privacy interference in section 13H. For example, this may cover instances where an Australian Privacy Principle (APP) entity fails to notify individuals of an eligible data breach as soon as practicable in accordance with subsection 26WL(3). There will be a maximum civil penalty of up to 2,000 penalty units for individuals (currently AU$660,000) and 10,000 penalty units for entities (currently AU$3.3 million).
- Infringement notices for less serious privacy breaches, with the OAIC having the ability to issue fines for less serious breaches of up to 200 penalty units (AU$62,600). This would avoid the need for the OAIC to bring protracted litigation proceedings to pursue breaches. Examples of what would constitute a breach include non-compliant privacy policies and non-compliant data breach statements.
The term “doxxing” commonly refers to the malicious release of personal data online. The Bill proposes to introduce two offences in the Criminal Code Act 1995 (Cth) to respond to acts of this nature. These are:
(a) Publishing or distributing the ‘personal data’ of one or more individuals, using a carriage service (online), in a way that would be considered menacing or harassing to those individuals; and
(b) The offence described above in circumstances where the information is the personal data of one or more members of a group and the person engaging in the publication or distribution believes that the whole or part of that group is distinguished by race, religion, sex, sexual orientation, gender identity, intersex status, disability, nationality or national or ethnic origin.
For the purposes of these offences, ‘personal data’ of an individual includes:
- the name of the individual;
- a photograph or other image of the individual;
- a telephone number of the individual;
- an email address of the individual;
- an online account of the individual;
- a residential address of the individual;
- a work or business address of the individual;
- a place of education of the individual;
- a place of worship of the individual.
Reform welcomed but more to be done
The reforms mark the first significant changes to Australia’s privacy laws and regulations in many years. It is clear that the Government intends to introduce amendments in tranches.
Australian Privacy Commissioner Carly Kind welcomed the reforms but stated much more needed to be done.
How to prepare for the changes
- Review your privacy policies and procedures for dealing with breaches of privacy. The proposed new enforcement powers can result in significant fines for non-compliant policies and procedures. A review of your policies to ensure compliance with the framework, alongside regularly scheduled reviews/updates will achieve better outcomes for users/clients and support the defence of any investigation by the OAIC for non-compliance.
- Improve how 'consent' is given by clients, particularly if your clients are children. Steps should be taken to clearly articulate how data will be collected and used so that meaningful consent can be given, for example by requiring an active opt-in from users or clients rather than a simple 'I agree'.
- Strengthen your data protection and cyber security. These are an organisation's first line of defence against data breaches as well as the mechanism for protecting data, and both are critical to ensuring compliance with the impending amendments.
- Staff training, knowledge and education are key. Ensure all staff are aware of the organisation's broader responsibilities regarding the safe keeping of data to reduce the risk of any breach and allow staff to identify an issue sooner.